Fernan Aguero
2010-Jul-12 18:30 UTC
disable (new)syslog rotation and raise securelevel ... possible?
Hi, I'd like to harden my FreeBSD installation, and thus would like to, e.g. i) chflags sappnd /var/log/* ii) raise the securelevel of the system Is this possible? I've read elsewhere that newsyslog would not work in such a system ... what are the possible workarounds? I wouldn't bother taking the system down once a week or every other week, and manually lowering the securelevel, running newsyslog, etc. Is there a guide somewhere on how to go about this? Thanks! -- fernan
Bryan Drewery
2010-Jul-12 22:53 UTC
disable (new)syslog rotation and raise securelevel ... possible?
Fernan, You can disable newsyslog by adding newsyslog_enable="NO" to your /etc/rc.conf or /etc/rc.conf.local Also be aware that you will need to reboot with kern_securelevel_enable="NO" in one of those files, to lower the securelevel. You should also consider a remote syslog host. Bryan Fernan Aguero wrote:> Hi, > > I'd like to harden my FreeBSD installation, and thus would like to, e.g. > > i) chflags sappnd /var/log/* > ii) raise the securelevel of the system > > Is this possible? I've read elsewhere that newsyslog would not work in > such a system ... what are the possible workarounds? > > I wouldn't bother taking the system down once a week or every other > week, and manually lowering the securelevel, running newsyslog, etc. > Is there a guide somewhere on how to go about this? > > Thanks! > >
Xin LI
2010-Jul-12 23:41 UTC
disable (new)syslog rotation and raise securelevel ... possible?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2010/07/12 11:04, Fernan Aguero wrote:> Hi, > > I'd like to harden my FreeBSD installation, and thus would like to, e.g. > > i) chflags sappnd /var/log/* > ii) raise the securelevel of the system > > Is this possible? I've read elsewhere that newsyslog would not work in > such a system ... what are the possible workarounds? > > I wouldn't bother taking the system down once a week or every other > week, and manually lowering the securelevel, running newsyslog, etc. > Is there a guide somewhere on how to go about this?Speaking for your question, disabling newsyslog can be done by removing the corresponding line in your /etc/crontab. However, the use of system flags is usually dangerous, I don't really consider them as very useful mechanisms for hardening your installation. Logging remotely to a dedicated and secured central logging server could be a better (as long as you have control to your internal network) alternative, since the attacker has to take down two systems, rather than one, in order to erase their foot prints. Cheers, - -- Xin LI <delphij@delphij.net> http://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.15 (FreeBSD) iQEcBAEBCAAGBQJMO6gRAAoJEATO+BI/yjfByF8IAI4qPKWNJhMqgs/QAk609FTV CTTy96jBi+jUWMq8pek8G8fI1TYV2B2wOhPm8qrq5HSyqdNs+NeSS1WVLhynCu7F xK9ewsa+XBeZlASIbA2fqCT4oktASMAlD7XgMlMqbAo2nhMzyngHL+nqD6UZoC/n IomRwK30W1VTGU1YnY0pMvH5nGrK7+hBqniivwNSijy02zLzjA9mwwH+sTzcDLX9 gucpoDCdmlZcQIWHUWEHFFRoZH9VDlm1UHMmwCSZzy6QEWGiPk4nFH9+EfxMPozU seWZfrHrw1EwGaqizKDSnlMb6eVFhUWmz2hVAZqxol8Yu6JyXBAsgRXvLWI8kME=5taC -----END PGP SIGNATURE-----